Epsilon Breach a Sign of Coming 'CorpTechPocalypse'

By Rob Spiegel
Apr 4, 2011 2:08 PM PT

The world's largest permission-based marketing firm, Epsilon, reported on Friday that its computer system was hacked and an unspecified number of email addresses and names were stolen. Epsilon sends around 40 billion emails a year on behalf of its 2,500 clients, which include major banks such as Capital One, JP Morgan Chase, Barclay's Bank, U.S. Bancorp and Citigroup, as well as e-commerce sites. Among the other companies warned about this breach are TiVo and Brookstone.

Epsilon did not respond to the E-Commerce Times' request for comments by press time.

Capital One and JP Morgan Chase have confirmed the incident and will be investigating the breach. The compromised files contain names and personal email addresses but not financial information, the companies said.

Customers should be extra-wary of emails that could be phishing attempts. They should ignore emails asking for confidential account or log-in information, Capital One advises, and remember that familiar looking links in an email can redirect to a fraudulent site.

Anyone who receives a suspicious-looking email claiming to be from Capital One should not click on any links provided, it said.

That's a sensible precaution for suspicious emails from any source, of course.

The Web Is Still the Wild West

The Internet can be a dangerous place for personal information.

"This is a very unfortunate incident," Azita Arvani, principal of the Arvani Group, told the E-Commerce Times, "but it reminds all of us that cyberthieves are constantly on the hunt for customer data of all kinds to perform their future schemes. The bigger the target, the bigger the rewards for cyberthieves."

When customers give their email address to a company, it could actually be going to a third-party marketer like Epsilon.

"In this case, the hackers managed to get into an outsourced e-marketing company that claims 2,500 large clients," said Arvani. "This should be a wake-up call to all outsourced marketing companies to see security at the heart of their operations. Big brands that outsource their marketing to others must require and constantly monitor that their customers' data is secured with best available tools."

Epsilon has not released a full list of the clients affected by the incident.

"The communication around this particular incident is concerning," said Arvani. "Epsilon has only put out a one-paragraph release with very little detail. They refer to a 'subset of' clients being affected by the incident. They mention the obtained information was limited to email addresses and/or customer names only, but unauthorized access to that kind of customer information could still lead to some unfortunate future phishing schemes, so it should not be discounted as low significance.

"The phishing schemes may not even happen now or in the near future, when customers have been warned to be on the alert," Arvani continued. "They may happen several months down the road, when the dust has settled and customers have forgotten about this incident. The incident was detected on March 30th, and five days later, they still don't have a new update."

Breaches Won't End Soon

When companies give private information to a third party, they also give it the responsibility to keep the data secure.

"This is the flipside of the ability to outsource various services," technology project manager and Geek 2.0 blogger Steven Savage told the E-Commerce Times. "When many companies use one service, that service becomes a critical point of failure of all kinds. In this case, Epsilon -- who 99.999 percent of the population hasn't heard of -- is that point of failure."

Hackers can get personal information from multiple consumer bases when targeting third-party marketers.

"We're actually going to see more of this," said Savage. "A friend of mine coined the term 'CorpTechPocalypse' to note that mobile, SaaS, and other tools that provide IT services are here, and the usual corporate IT is going away. The problem with this inevitable trend is what we see here -- that companies providing information-based services become that point of failure."

Consumers will be looking for someone to blame.

"Many companies are mailing individuals about the breaches," noted Savage. "This is going to make more people aware of companies like Epsilon. Lawsuits always follow things like this. Expect some."

Following are some tactics Savage advises companies and consumers to use to protect information from cyberthieves.

For companies:

If you use an external service, do your research, including deep technical research if at all possible, make sure agreements and security are clearly spelled out, and stay informed.

Always, always make sure your company keeps up on technical issues like this one. I don't care how much you can outsource, you need to follow technical news on breaches, issues, problems, patches, what have you.

Companies should be very selective in what personal information they take and keep to minimize any damage done by a breach.

For consumers:

Reveal only minimally needed information in any case of turning information over to a company.

Different emails for different purposes can be helpful. Have one for personal, one for bill pay, etc. That way you minimize the damage of any one breach, and keep from confusing communications. Plus, if an official looking email lands in the wrong in-box, you're properly suspicious.

Follow the news. I can't emphasize this enough. These days following the news of basic technical trends, breaches, issues, patches is like following the weather -- you need the basics to function and avoid problems.
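Two of the warnings above can be turned into mechanical checks on an inbound message: Capital One's point that a familiar-looking link can point somewhere else entirely, and Savage's tactic of using a separate address per purpose so that a bank alert landing in the wrong inbox is immediately suspicious. The following is an added example written for this article, not code from Epsilon, Capital One or any of the people quoted. The email, the inbox-to-sender mapping, and the lookalike domain in it are all constructed for illustration; the "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list), which is noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping (hypothetical): each purpose-specific inbox the consumer
# handed out, and the sender domains that were actually given that address.
EXPECTED_INBOX = {
    "bills@example.net": {"capitalone.com"},
    "shopping@example.net": {"brookstone.com", "tivo.com"},
}

# Constructed sample message: "bank" mail arriving at the shopping alias, with
# a link whose visible text names the bank but whose host is a lookalike.
SAMPLE = """From: Capital One Alerts <alerts@capitalone.com>
To: shopping@example.net
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://capitalone.com.account-verify.example/login">log in at capitalone.com</a> to confirm your details.</p>
<p><a href="https://www.capitalone.com/">Visit our site</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def link_mismatches(html):
    """Return (anchor text, href) pairs where the domain the reader sees in the
    link text differs from the host the link actually goes to."""
    parser = _LinkParser()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real = registrable(urlparse(href).hostname or "")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != real:
            found.append((text, href))
    return found


def inbox_mismatch(sender, recipient):
    """True if mail from this sender domain arrived at an inbox that was never
    given to that sender. The From header is trivially forgeable, so this does
    not prove the mail is genuine; it only flags the wrong-inbox case."""
    sender_dom = registrable(sender.split("@")[-1])
    allowed = EXPECTED_INBOX.get(recipient.lower())
    return allowed is not None and sender_dom not in allowed


def triage(raw_message):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "link_mismatches": link_mismatches(body),
        "inbox_mismatch": inbox_mismatch(sender, recipient),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

Neither check blocks anything; both are triage signals. The link check catches the "familiar looking link" trick only when the anchor text itself names a domain, and the inbox check depends on the consumer having actually kept separate addresses per purpose, which is the whole point of Savage's tactic.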